Want more cloud developer tips, tricks, and explainer videos? Check out more episodes of Serverless Expeditions. → goo.gle/ServerlessExpeditions
@victornoagbodji 2 months ago
This is very interesting. Thanks for sharing 👍 Does this supplant or complement Cloud Armor policies?
@TheMomander 2 months ago
Good question! I would say that it complements Cloud Armor. VPC Service Controls enables or disables access between projects. Cloud Armor defends against denial-of-service attacks from the public Internet. In other words, it lets some traffic through and blocks other traffic. So I think there is a good argument to use both.
@TheNataliaStrelkova 2 months ago
Hi! Thanks for the question! I would like to add to Martin's reply. VPC Service Controls only works for traffic to and from Google APIs. It doesn't block any other requests. These two services offer complementary protection. I hope that helps!
@victornoagbodji 2 months ago
Thanks 👍
@TheMiteshranka88 2 months ago
@TheNatalia - does it mean that if I whitelisted an external IP in my Cloud Armor for a backend service in a project protected by VPC SC, the request will still reach the backend because it's coming from an external IP and not from another GCP API in a different project?
@TheNataliaStrelkova 2 months ago
@TheMiteshranka88 Hi! Any request coming from an external IP to your backend service will not be affected by any VPC SC rules at all, because they only apply to traffic to and from Google APIs.
@monkeydluffy2063 2 months ago
What would be the difference if, say, I use a third-party tool like Tailscale to do the same thing? I.e., block all access unless my service is on a specific tailnet.
@TheMomander 2 months ago
Sorry, I don't know how Tailscale works, so I can't compare it with VPC Service Controls.
@luminositee 2 months ago
Hi! I am also not familiar with Tailscale, but this is in-built Google Cloud functionality, providing you with the highest security standards. It works seamlessly out of the box. However, the important part is that what I don't believe any third-party tool can provide you is, for example, the control of traffic between Google APIs, because it's internal Google Cloud traffic, and you can't really redirect it. So you can't really have the same protection.
@monkeydluffy2063 2 months ago
@luminositee Fair point.
@AVINASHSHITOLE-f1t 2 months ago
Please share a link for communication between two projects where both projects are locked down with a VPC Service Control Perimeter. As I see, Ingress and Egress Roles provide more granular level access.
@TheMomander 2 months ago
If the two projects are within the same VPC Service Controls perimeter, they are not reachable from other projects or from the Internet, but they can talk to each other. You can also set up more detailed Ingress and Egress Policy in your VPC Service Control perimeter, but we didn't cover that in the video. You can see them in the video in the left-hand navbar at 3:02.
@LokeshK-v4v 2 months ago
What are slots in BigQuery? Is there a class in BigQuery? Why are constraints not in BigQuery?
@TheMomander 2 months ago
BigQuery slots are useful if you use BigQuery a lot in your organization and you know ahead of time how much processing you will need. Thank you for the suggestion!
@Suraborisut-o8g 2 months ago
🌺🌺😍😍😍🌺👍👍🇹🇭
@obra7865 2 months ago
Can you drive this car over your cloud? Zeeker 007
@szigyartom 2 months ago
Reading sentences in a language class had the same vibe.